
Why does if condition not work with stats values()?


Hi all, I have been trying to use an if condition in stats values(). It is not working properly. I have used if conditions before and got results perfectly.


stats values(eval(if('FAILS'=="0",0,DATA))) as DATA


The field "DATA" is calculated in the beginning. My requirement is that when there are no FAILS the DATA should be zero, otherwise it should be the value which is calculated. Am I doing anything wrong here? Because even if the FAILS are there, it is giving me the result as 0. Please help me.


Revered Legend

It might be helpful if you could share some sample data, what your current output is, and what the expected output is.

Does your data look like this sample run-anywhere search?

| makeresults
| eval FAILS=1, DATA=1
| fields - _time
| append
    [| makeresults
    | eval FAILS=0, DATA=3]
| append
    [| makeresults
    | eval FAILS=1, DATA=2]
| append
    [| makeresults
    | eval FAILS=0, DATA=4]
| append
    [| makeresults
    | eval FAILS=1, DATA=5]
| stats values(eval(if('FAILS'=="0",0,DATA))) as DATA


Hi @somesoni2, the data is in JSON format. Here is one example.


"Group": "G1",

and the data I'm calculating is MTTR.

.........[| streamstats count as start reset_on_change=true by STATUS
| where start=1
| streamstats count(eval(STATUS=="FAILURE")) as fails by STATUS
| eval fails=if(fails=0,null(),fails)
| filldown fails
| stats list(*) as * by fails| where mvcount(STATUS) = 2|eval MTTR=....]
|append[.....| chart count(Task_no) by Group STATUS
| table Group SUCCESS FAILURE]
| stats values(eval(if('FAILURE'=="0",0,MTTR))) as MTTR

Whenever there are no failures I want to make the MTTR 0; if there are failures, MTTR will be calculated by the query and I want to keep that result as it is. While using stats I am not able to achieve this condition. Where did I go wrong in the query? Can you please help me?
